Ofcom guidance on security requirements in sections 105A to D of the Communications Act 2003
Guidance on s.105B – breach notification
4.1 Section 105B states the following:
105B Requirement to notify OFCOM of security breach
(1) A network provider must notify OFCOM –
(a) of a breach of security which has a significant impact on the operation of a public electronic communications network, and
(b) of a reduction in the availability of a public electronic communications network which has a significant impact on the network.
(2) A service provider must notify OFCOM of a breach of security which has a significant impact on the operation of a public electronic communications service.
(3) If OFCOM receive a notification under this section, they must, where they think it appropriate, notify—
(a) the regulatory authorities in other member States, and
(b) the European Network and Information Security Agency (“ENISA”).
(4) OFCOM may also inform the public of a notification under this section, or require the network provider or service provider to inform the public, if OFCOM think that it is in the public interest to do so.
(5) OFCOM must prepare an annual report summarising all notifications received by them under this section, and any action taken in response to a notification.
(6) A copy of the annual report must be sent to the European Commission and to ENISA.
General comments on reporting
4.2 It is important that CPs have adequate processes in place to ensure that reporting is routinely performed and that this reporting continues even when experienced staff are absent from work.
4.3 In relation to the initial notification of an urgent incident, we accept that, particularly out of hours, this will be a best efforts activity and not always possible given timing and resource constraints. In the event that we have not received a notification from a CP, and become aware of an incident appearing to us to be urgent, we will normally seek to make enquiries via the contact point we have been given by the CP.
4.4 Notifications about “urgent” incidents should be made via the agreed contacts, or the 24/7 reporting number outside of office hours. Details of Ofcom’s specific contact points will be provided separately to relevant CPs.